chore(security): make rsa key pair only use once for sql login
baurine committed Sep 8, 2023
1 parent ded9a32 commit c0916bd
Showing 2 changed files with 13 additions and 6 deletions.
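--- a/pkg/apiserver/user/auth.go
+++ b/pkg/apiserver/user/auth.go
@@ -122,6 +122,15 @@ func NewAuthService(featureFlags *featureflag.Registry) *AuthService {
 if err != nil {
 return nil, errorx.Decorate(err, "authenticate failed")
 }
+if form.Type == 0 {
+// generate new rsa key pair for each sql auth login
+privateKey, publicKey, err := GenerateKey()
+// if generate successfully, replace the old key pair
+if err == nil {
+service.RsaPrivateKey = privateKey
+service.rsaPublicKey = publicKey
+}
+}
 return u, nil
 },
 PayloadFunc: func(data interface{}) jwt.MapClaims {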
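Review bot: The rotation added under `if form.Type == 0 {` assigns `service.RsaPrivateKey` and `service.rsaPublicKey` with no synchronization, while concurrent login requests read the private key (sqlauth's `Authenticate` reads `a.authService.RsaPrivateKey` in this same commit) and presumably some handler serves the public key; unless AuthService guards these fields elsewhere, that is a data race under `-race`, and a client that fetched the public key just before another user's successful login will have its ciphertext rejected. The `err` from `GenerateKey()` is also dropped silently, so on a generation failure the old pair keeps being reused — the opposite of the commit's intent — with nothing in the logs; at minimum log it in an `if err != nil { ... } else { ... }` rather than only testing `err == nil` (the file's logger is not visible in this hunk). Consider guarding the pair with a `sync.RWMutex` on AuthService and exposing it through accessors so callers take the read lock, and note that RSA key generation on every successful login is CPU-costly, which is acceptable only if the login endpoint is rate-limited. The enclosing Authenticator closure starts and ends outside the hunk.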
10 changes: 4 additions & 6 deletions pkg/apiserver/user/sqlauth/sqlauth.go
Expand Up @@ -3,8 +3,6 @@
package sqlauth

import (
"crypto/rsa"

"github.com/joomcode/errorx"
"go.uber.org/fx"

Expand All @@ -17,8 +15,8 @@ const typeID utils.AuthType = 0

type Authenticator struct {
user.BaseAuthenticator
tidbClient *tidb.Client
rsaPrivateKey *rsa.PrivateKey
tidbClient *tidb.Client
authService *user.AuthService
}

func NewAuthenticator(tidbClient *tidb.Client) *Authenticator {
Expand All @@ -29,7 +27,7 @@ func NewAuthenticator(tidbClient *tidb.Client) *Authenticator {

func registerAuthenticator(a *Authenticator, authService *user.AuthService) {
authService.RegisterAuthenticator(typeID, a)
a.rsaPrivateKey = authService.RsaPrivateKey
a.authService = authService
}

var Module = fx.Options(
Expand All @@ -38,7 +36,7 @@ var Module = fx.Options(
)

func (a *Authenticator) Authenticate(f user.AuthenticateForm) (*utils.SessionUser, error) {
plainPwd, err := user.Decrypt(f.Password, a.rsaPrivateKey)
plainPwd, err := user.Decrypt(f.Password, a.authService.RsaPrivateKey)
if err != nil {
return nil, user.ErrSignInOther.WrapWithNoMessage(err)
}
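Review bot: `Authenticate` now reads `a.authService.RsaPrivateKey` on every call, an exported field owned by another package that this same commit rewrites after each successful SQL login; reading it unguarded from request goroutines races with that write unless AuthService synchronizes it elsewhere, and the key can change between a client's encrypt and this decrypt, which then surfaces only as `ErrSignInOther`. Prefer an accessor on AuthService (a proposed name, e.g. `a.authService.CurrentPrivateKey()`) that snapshots the key under a lock, so this package never touches the field directly and `registerAuthenticator` keeps only the service handle as it now does. A comment above the `user.Decrypt` call such as `// decryption fails if the key pair was rotated by a concurrent login; the client must refetch the public key` would spare the next reader a hunt for the cause of spurious sign-in failures. `Authenticate` continues outside the hunk.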